Merge pull request #3294 from brauner/2020-03-15/fixes

memory_utils: improvements

Merge pull request #3294 from brauner/2020-03-15/fixes
1f423252 · Stéphane Graber · GitHub · 2b1ec4b9 · 644e7393 · 1f423252
Unverified Commit 1f423252 authored Mar 15, 2020 by Stéphane Graber Committed by GitHub Mar 15, 2020
20 changed files
--- a/src/lxc/af_unix.c
+++ b/src/lxc/af_unix.c
@@ -53,7 +53,7 @@ static ssize_t lxc_abstract_unix_set_sockaddr(struct sockaddr_un *addr,
 int lxc_abstract_unix_open(const char *path, int type, int flags)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	int ret;
 	ssize_t len;
 	struct sockaddr_un addr;
@@ -90,7 +90,7 @@ void lxc_abstract_unix_close(int fd)
 int lxc_abstract_unix_connect(const char *path)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	int ret;
 	ssize_t len;
 	struct sockaddr_un addr;
@@ -326,7 +326,7 @@ int lxc_unix_sockaddr(struct sockaddr_un *ret, const char *path)
 int lxc_unix_connect_type(struct sockaddr_un *addr, int type)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	int ret;
 	ssize_t len;

--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -131,7 +131,7 @@ static void lxc_proc_put_context_info(struct lxc_proc_context_info *ctx)
 */
 static int in_same_namespace(pid_t pid1, pid_t pid2, const char *ns)
 {
-	__do_close_prot_errno int ns_fd1 = -1, ns_fd2 = -1;
+	__do_close int ns_fd1 = -EBADF, ns_fd2 = -EBADF;
 	int ret = -1;
 	struct stat ns_st1, ns_st2;
@@ -1176,7 +1176,7 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
 			 */
 			ret = cgroup_attach(name, lxcpath, pid);
 			if (ret) {
-				__do_cgroup_exit struct cgroup_ops *cgroup_ops = NULL;
+				call_cleaner(cgroup_exit) struct cgroup_ops *cgroup_ops = NULL;
 				cgroup_ops = cgroup_init(conf);
 				if (!cgroup_ops)

--- a/src/lxc/caps.c
+++ b/src/lxc/caps.c
@@ -15,14 +15,17 @@
 #include "file_utils.h"
 #include "log.h"
 #include "macro.h"
+#include "memory_utils.h"
 lxc_log_define(caps, lxc);
 #if HAVE_LIBCAP
+define_cleanup_function(cap_t, cap_free);
 int lxc_caps_down(void)
 {
-	cap_t caps;
+	call_cleaner(cap_free) cap_t caps = NULL;
 	int ret = -1;
 	/* When we are root, we don't want to play with capabilities. */
@@ -30,34 +33,23 @@ int lxc_caps_down(void)
 		return 0;
 	caps = cap_get_proc();
-	if (!caps) {
+	if (!caps)
-		SYSERROR("Failed to retrieve capabilities");
+		return log_error_errno(ret, errno, "Failed to retrieve capabilities");
-		return ret;
-	}
 	ret = cap_clear_flag(caps, CAP_EFFECTIVE);
-	if (ret) {
+	if (ret)
-		SYSERROR("Failed to clear effective capabilities");
+		return log_error_errno(ret, errno, "Failed to clear effective capabilities");
-		goto on_error;
-	}
 	ret = cap_set_proc(caps);
-	if (ret) {
+	if (ret)
-		SYSERROR("Failed to change effective capabilities");
+		return log_error_errno(ret, errno, "Failed to change effective capabilities");
-		goto on_error;
-	}
-	ret = 0;
-on_error:
+	return 0;
-	cap_free(caps);
-	return ret;
 }
 int lxc_caps_up(void)
 {
-	cap_t caps;
+	call_cleaner(cap_free) cap_t caps = NULL;
 	cap_value_t cap;
 	int ret = -1;
@@ -66,10 +58,8 @@ int lxc_caps_up(void)
 		return 0;
 	caps = cap_get_proc();
-	if (!caps) {
+	if (!caps)
-		SYSERROR("Failed to retrieve capabilities");
+		return log_error_errno(ret, errno, "Failed to retrieve capabilities");
-		return ret;
-	}
 	for (cap = 0; cap <= CAP_LAST_CAP; cap++) {
 		cap_flag_value_t flag;
@@ -80,49 +70,36 @@ int lxc_caps_up(void)
 				INFO("Last supported cap was %d", cap - 1);
 				break;
 			} else {
-				SYSERROR("Failed to retrieve setting for "
+				return log_error_errno(ret, errno, "Failed to retrieve setting for permitted capability %d", cap - 1);
-					 "permitted capability %d", cap - 1);
-				goto on_error;
 			}
 		}
 		ret = cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, flag);
-		if (ret) {
+		if (ret)
-			SYSERROR("Failed to set effective capability %d", cap - 1);
+			return log_error_errno(ret, errno, "Failed to set effective capability %d", cap - 1);
-			goto on_error;
-		}
 	}
 	ret = cap_set_proc(caps);
-	if (ret) {
+	if (ret)
-		SYSERROR("Failed to change effective capabilities");
+		return log_error_errno(ret, errno, "Failed to change effective capabilities");
-		goto on_error;
-	}
-	ret = 0;
-on_error:
-	cap_free(caps);
-	return ret;
+	return 0;
 }
 int lxc_ambient_caps_up(void)
 {
+	call_cleaner(cap_free) cap_t caps = NULL;
+	__do_free char *cap_names = NULL;
 	int ret;
-	cap_t caps;
 	cap_value_t cap;
 	int last_cap = CAP_LAST_CAP;
-	char *cap_names = NULL;
 	if (!getuid() || geteuid())
 		return 0;
 	caps = cap_get_proc();
-	if (!caps) {
+	if (!caps)
-		SYSERROR("Failed to retrieve capabilities");
+		return log_error_errno(-1, errno, "Failed to retrieve capabilities");
-		return -1;
-	}
 	for (cap = 0; cap <= CAP_LAST_CAP; cap++) {
 		cap_flag_value_t flag;
@@ -135,51 +112,37 @@ int lxc_ambient_caps_up(void)
 				break;
 			}
-			SYSERROR("Failed to retrieve capability flag");
+			return log_error_errno(ret, errno, "Failed to retrieve capability flag");
-			goto out;
 		}
 		ret = cap_set_flag(caps, CAP_INHERITABLE, 1, &cap, flag);
-		if (ret < 0) {
+		if (ret < 0)
-			SYSERROR("Failed to set capability flag");
+			return log_error_errno(ret, errno, "Failed to set capability flag");
-			goto out;
-		}
 	}
 	ret = cap_set_proc(caps);
-	if (ret < 0) {
+	if (ret < 0)
-		SYSERROR("Failed to set capabilities");
+		return log_error_errno(ret, errno, "Failed to set capabilities");
-		goto out;
-	}
 	for (cap = 0; cap <= last_cap; cap++) {
 		ret = prctl(PR_CAP_AMBIENT, prctl_arg(PR_CAP_AMBIENT_RAISE),
 			    prctl_arg(cap), prctl_arg(0), prctl_arg(0));
-		if (ret < 0) {
+		if (ret < 0)
-			SYSWARN("Failed to raise ambient capability %d", cap);
+			return log_warn_errno(ret, errno, "Failed to raise ambient capability %d", cap);
-			goto out;
-		}
 	}
 	cap_names = cap_to_text(caps, NULL);
-	if (!cap_names) {
+	if (!cap_names)
-		SYSWARN("Failed to convert capabilities %d", cap);
+		return log_warn_errno(0, errno, "Failed to convert capabilities %d", cap);
-		goto out;
-	}
 	TRACE("Raised %s in inheritable and ambient capability set", cap_names);
-out:
-	cap_free(cap_names);
-	cap_free(caps);
 	return 0;
 }
 int lxc_ambient_caps_down(void)
 {
+	call_cleaner(cap_free) cap_t caps = NULL;
 	int ret;
-	cap_t caps;
 	cap_value_t cap;
 	if (!getuid() || geteuid())
@@ -187,33 +150,23 @@ int lxc_ambient_caps_down(void)
 	ret = prctl(PR_CAP_AMBIENT, prctl_arg(PR_CAP_AMBIENT_CLEAR_ALL),
 		    prctl_arg(0), prctl_arg(0), prctl_arg(0));
-	if (ret < 0) {
+	if (ret < 0)
-		SYSERROR("Failed to clear ambient capability set");
+		return log_error_errno(-1, errno, "Failed to clear ambient capability set");
-		return -1;
-	}
 	caps = cap_get_proc();
-	if (!caps) {
+	if (!caps)
-		SYSERROR("Failed to retrieve capabilities");
+		return log_error_errno(-1, errno, "Failed to retrieve capabilities");
-		return -1;
-	}
 	for (cap = 0; cap <= CAP_LAST_CAP; cap++) {
 		ret = cap_set_flag(caps, CAP_INHERITABLE, 1, &cap, CAP_CLEAR);
-		if (ret < 0) {
+		if (ret < 0)
-			SYSERROR("Failed to remove capability from inheritable set");
+			return log_error_errno(-1, errno, "Failed to clear capability");
-			goto out;
-		}
 	}
 	ret = cap_set_proc(caps);
-	if (ret < 0) {
+	if (ret < 0)
-		SYSERROR("Failed to set capabilities");
+		return log_error_errno(ret, errno, "Failed to set capabilities");
-		goto out;
-	}
-out:
-	cap_free(caps);
 	return 0;
 }
@@ -233,29 +186,21 @@ int lxc_caps_init(void)
 		INFO("Command is run as setuid root (uid: %d)", uid);
 		ret = prctl(PR_SET_KEEPCAPS, prctl_arg(1));
-		if (ret < 0) {
+		if (ret < 0)
-			SYSERROR("Failed to set PR_SET_KEEPCAPS");
+			return log_error_errno(-1, errno, "Failed to set PR_SET_KEEPCAPS");
-			return -1;
-		}
 		gid = getgid();
 		ret = setresgid(gid, gid, gid);
-		if (ret < 0) {
+		if (ret < 0)
-			SYSERROR("Failed to change rgid, egid, and sgid to %d", gid);
+			return log_error_errno(-1, errno, "Failed to change rgid, egid, and sgid to %d", gid);
-			return -1;
-		}
 		ret = setresuid(uid, uid, uid);
-		if (ret < 0) {
+		if (ret < 0)
-			SYSERROR("Failed to change ruid, euid, and suid to %d", uid);
+			return log_error_errno(-1, errno, "Failed to change ruid, euid, and suid to %d", uid);
-			return -1;
-		}
 		ret = lxc_caps_up();
-		if (ret < 0) {
+		if (ret < 0)
-			SYSERROR("Failed to restore capabilities");
+			return log_error_errno(-1, errno, "Failed to restore capabilities");
-			return -1;
-		}
 	}
 	if (uid == euid)
@@ -320,10 +265,8 @@ static bool lxc_cap_is_set(cap_t caps, cap_value_t cap, cap_flag_t flag)
 	cap_flag_value_t flagval;
 	ret = cap_get_flag(caps, cap, flag, &flagval);
-	if (ret < 0) {
+	if (ret < 0)
-		SYSERROR("Failed to retrieve current setting for capability %d", cap);
+		return log_error_errno(false, errno, "Failed to retrieve current setting for capability %d", cap);
-		return false;
-	}
 	return flagval == CAP_SET;
 }
@@ -331,8 +274,7 @@ static bool lxc_cap_is_set(cap_t caps, cap_value_t cap, cap_flag_t flag)
 bool lxc_file_cap_is_set(const char *path, cap_value_t cap, cap_flag_t flag)
 {
 #if LIBCAP_SUPPORTS_FILE_CAPABILITIES
-	bool cap_is_set;
+	call_cleaner(cap_free) cap_t caps = NULL;
-	cap_t caps;
 	caps = cap_get_file(path);
 	if (!caps) {
@@ -347,9 +289,7 @@ bool lxc_file_cap_is_set(const char *path, cap_value_t cap, cap_flag_t flag)
 		return false;
 	}
-	cap_is_set = lxc_cap_is_set(caps, cap, flag);
+	return lxc_cap_is_set(caps, cap, flag);
-	cap_free(caps);
-	return cap_is_set;
 #else
 	errno = ENODATA;
 	return false;
@@ -358,17 +298,12 @@ bool lxc_file_cap_is_set(const char *path, cap_value_t cap, cap_flag_t flag)
 bool lxc_proc_cap_is_set(cap_value_t cap, cap_flag_t flag)
 {
-	bool cap_is_set;
+	call_cleaner(cap_free) cap_t caps = NULL;
-	cap_t caps;
 	caps = cap_get_proc();
-	if (!caps) {
+	if (!caps)
-		SYSERROR("Failed to retrieve capabilities");
+		return log_error_errno(false, errno, "Failed to retrieve capabilities");
-		return false;
-	}
-	cap_is_set = lxc_cap_is_set(caps, cap, flag);
+	return lxc_cap_is_set(caps, cap, flag);
-	cap_free(caps);
-	return cap_is_set;
 }
 #endif
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -494,7 +494,7 @@ static int cg_legacy_handle_cpuset_hierarchy(struct hierarchy *h,
 					     const char *cgroup_leaf)
 {
 	__do_free char *parent_cgroup = NULL, *child_cgroup = NULL, *dup = NULL;
-	__do_close_prot_errno int cgroup_fd = -EBADF;
+	__do_close int cgroup_fd = -EBADF;
 	int fret = -1;
 	int ret;
 	char v;
@@ -1169,10 +1169,10 @@ static void cgroup_remove_leaf(struct hierarchy *h, bool payload)
 	__do_free char *full_path = NULL;
 	if (payload) {
-		__lxc_unused __do_close_prot_errno int fd = move_fd(h->cgfd_con);
+		__lxc_unused __do_close int fd = move_fd(h->cgfd_con);
 		full_path = move_ptr(h->container_full_path);
 	} else {
-		__lxc_unused __do_close_prot_errno int fd = move_fd(h->cgfd_mon);
+		__lxc_unused __do_close int fd = move_fd(h->cgfd_mon);
 		full_path = move_ptr(h->monitor_full_path);
 	}
@@ -1866,7 +1866,7 @@ static bool cg_legacy_freeze(struct cgroup_ops *ops)
 static int freezer_cgroup_events_cb(int fd, uint32_t events, void *cbdata,
 				    struct lxc_epoll_descr *descr)
 {
-	__do_close_prot_errno int duped_fd = -EBADF;
+	__do_close int duped_fd = -EBADF;
 	__do_free char *line = NULL;
 	__do_fclose FILE *f = NULL;
 	int state = PTR_TO_INT(cbdata);
@@ -1899,7 +1899,7 @@ static int freezer_cgroup_events_cb(int fd, uint32_t events, void *cbdata,
 static int cg_unified_freeze(struct cgroup_ops *ops, int timeout)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	__do_lxc_mainloop_close struct lxc_epoll_descr *descr_ptr = NULL;
 	int ret;
 	struct lxc_epoll_descr descr;
@@ -1967,7 +1967,7 @@ static int cg_legacy_unfreeze(struct cgroup_ops *ops)
 static int cg_unified_unfreeze(struct cgroup_ops *ops, int timeout)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	__do_lxc_mainloop_close struct lxc_epoll_descr *descr_ptr = NULL;
 	int ret;
 	struct lxc_epoll_descr descr;
@@ -2099,7 +2099,7 @@ static int cgroup_attach_leaf(int unified_fd, int64_t pid)
 int cgroup_attach(const char *name, const char *lxcpath, int64_t pid)
 {
-	__do_close_prot_errno int unified_fd = -EBADF;
+	__do_close int unified_fd = -EBADF;
 	unified_fd = lxc_cmd_get_cgroup2_fd(name, lxcpath);
 	if (unified_fd < 0)
@@ -2121,7 +2121,7 @@ static int __cg_unified_attach(const struct hierarchy *h, const char *name,
 			       const char *lxcpath, pid_t pid,
 			       const char *controller)
 {
-	__do_close_prot_errno int unified_fd = -EBADF;
+	__do_close int unified_fd = -EBADF;
 	int ret;
 	ret = cgroup_attach(name, lxcpath, pid);

--- a/src/lxc/cgroups/cgroup.h
+++ b/src/lxc/cgroups/cgroup.h
@@ -8,6 +8,7 @@
 #include <sys/types.h>
 #include "macro.h"
+#include "memory_utils.h"
 #define DEFAULT_CGROUP_MOUNTPOINT "/sys/fs/cgroup"
 #define DEFAULT_PAYLOAD_CGROUP_PREFIX "lxc.payload."
@@ -171,20 +172,14 @@ struct cgroup_ops {
 };
 extern struct cgroup_ops *cgroup_init(struct lxc_conf *conf);
 extern void cgroup_exit(struct cgroup_ops *ops);
+define_cleanup_function(struct cgroup_ops *, cgroup_exit);
 extern void prune_init_scope(char *cg);
-static inline void __auto_cgroup_exit__(struct cgroup_ops **ops)
-{
-	if (*ops)
-		cgroup_exit(*ops);
-}
 extern int cgroup_attach(const char *name, const char *lxcpath, int64_t pid);
-#define __do_cgroup_exit __attribute__((__cleanup__(__auto_cgroup_exit__)))
 static inline bool pure_unified_layout(const struct cgroup_ops *ops)
 {
 	return ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED;

--- a/src/lxc/cgroups/cgroup2_devices.c
+++ b/src/lxc/cgroups/cgroup2_devices.c
@@ -341,7 +341,7 @@ int bpf_program_cgroup_attach(struct bpf_program *prog, int type,
 			      const char *path, uint32_t flags)
 {
 	__do_free char *copy = NULL;
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	union bpf_attr attr;
 	int ret;
@@ -396,7 +396,7 @@ int bpf_program_cgroup_attach(struct bpf_program *prog, int type,
 int bpf_program_cgroup_detach(struct bpf_program *prog)
 {
 	int ret;
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	if (!prog)
 		return 0;

--- a/src/lxc/cmd/lxc_user_nic.c
+++ b/src/lxc/cmd/lxc_user_nic.c
@@ -73,7 +73,7 @@ __noreturn static void usage(bool fail)
 static int open_and_lock(const char *path)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	int ret;
 	struct flock lk;

--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -111,7 +111,7 @@ static const char *lxc_cmd_str(lxc_cmd_t cmd)
 */
 static int lxc_cmd_rsp_recv(int sock, struct lxc_cmd_rr *cmd)
 {
-	__do_close_prot_errno int fd_rsp = -EBADF;
+	__do_close int fd_rsp = -EBADF;
 	int ret;
 	struct lxc_cmd_rsp *rsp = &cmd->rsp;
@@ -214,7 +214,7 @@ static int lxc_cmd_rsp_send(int fd, struct lxc_cmd_rsp *rsp)
 static int lxc_cmd_send(const char *name, struct lxc_cmd_rr *cmd,
 			const char *lxcpath, const char *hashed_sock_name)
 {
-	__do_close_prot_errno int client_fd = -EBADF;
+	__do_close int client_fd = -EBADF;
 	ssize_t ret = -1;
 	client_fd = lxc_cmd_connect(name, lxcpath, hashed_sock_name, "command");
@@ -267,7 +267,7 @@ static int lxc_cmd_send(const char *name, struct lxc_cmd_rr *cmd,
 static int lxc_cmd(const char *name, struct lxc_cmd_rr *cmd, int *stopped,
 		   const char *lxcpath, const char *hashed_sock_name)
 {
-	__do_close_prot_errno int client_fd = -EBADF;
+	__do_close int client_fd = -EBADF;
 	int ret = -1;
 	bool stay_connected = false;
@@ -898,7 +898,7 @@ int lxc_cmd_add_state_client(const char *name, const char *lxcpath,
 			     lxc_state_t states[MAX_STATE],
 			     int *state_client_fd)
 {
-	__do_close_prot_errno int clientfd = -EBADF;
+	__do_close int clientfd = -EBADF;
 	int state, stopped;
 	ssize_t ret;
 	struct lxc_cmd_rr cmd = {
@@ -1217,7 +1217,7 @@ static int lxc_cmd_seccomp_notify_add_listener_callback(int fd,
 #ifdef HAVE_SECCOMP_NOTIFY
 	int ret;
-	__do_close_prot_errno int recv_fd = -EBADF;
+	__do_close int recv_fd = -EBADF;
 	ret = lxc_abstract_unix_recv_fds(fd, &recv_fd, 1, NULL, 0);
 	if (ret <= 0) {
@@ -1505,7 +1505,7 @@ out_close:
 static int lxc_cmd_accept(int fd, uint32_t events, void *data,
 			  struct lxc_epoll_descr *descr)
 {
-	__do_close_prot_errno int connection = -EBADF;
+	__do_close int connection = -EBADF;
 	int opt = 1, ret = -1;
 	connection = accept(fd, NULL, 0);
@@ -1531,7 +1531,7 @@ static int lxc_cmd_accept(int fd, uint32_t events, void *data,
 int lxc_cmd_init(const char *name, const char *lxcpath, const char *suffix)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	int ret;
 	char path[LXC_AUDS_ADDR_LEN] = {0};

--- a/src/lxc/commands_utils.c
+++ b/src/lxc/commands_utils.c
@@ -57,7 +57,7 @@ int lxc_cmd_sock_rcv_state(int state_client_fd, int timeout)
 int lxc_cmd_sock_get_state(const char *name, const char *lxcpath,
 			   lxc_state_t states[MAX_STATE], int timeout)
 {
-	__do_close_prot_errno int state_client_fd = -EBADF;
+	__do_close int state_client_fd = -EBADF;
 	int ret;
 	ret = lxc_cmd_add_state_client(name, lxcpath, states, &state_client_fd);

--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -1380,7 +1380,7 @@ int lxc_chroot(const struct lxc_rootfs *rootfs)
 */
 static int lxc_pivot_root(const char *rootfs)
 {
-	__do_close_prot_errno int oldroot = -EBADF, newroot = -EBADF;
+	__do_close int oldroot = -EBADF, newroot = -EBADF;
 	int ret;
 	oldroot = open("/", O_DIRECTORY | O_RDONLY | O_CLOEXEC);
@@ -2193,7 +2193,7 @@ static const char nesting_helpers[] =
 FILE *make_anonymous_mount_file(struct lxc_list *mount,
 				bool include_nesting_helpers)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	FILE *f;
 	int ret;
 	char *mount_entry;
@@ -2567,12 +2567,12 @@ struct lxc_conf *lxc_conf_init(void)
 int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf,
 		     size_t buf_size)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	int ret;
 	char path[PATH_MAX];
 	if (geteuid() != 0 && idtype == ID_TYPE_GID) {
-		__do_close_prot_errno int setgroups_fd = -EBADF;
+		__do_close int setgroups_fd = -EBADF;
 		ret = snprintf(path, PATH_MAX, "/proc/%d/setgroups", pid);
 		if (ret < 0 || ret >= PATH_MAX)
@@ -3018,7 +3018,7 @@ void remount_all_slave(void)
 {
 	__do_free char *line = NULL;
 	__do_fclose FILE *f = NULL;
-	__do_close_prot_errno int memfd = -EBADF, mntinfo_fd = -EBADF;
+	__do_close int memfd = -EBADF, mntinfo_fd = -EBADF;
 	int ret;
 	ssize_t copied;
 	size_t len = 0;

--- a/src/lxc/file_utils.c
+++ b/src/lxc/file_utils.c
@@ -27,7 +27,7 @@ int lxc_open_dirfd(const char *dir)
 int lxc_readat(int dirfd, const char *filename, void *buf, size_t count)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	ssize_t ret;
 	fd = openat(dirfd, filename, O_RDONLY | O_CLOEXEC);
@@ -43,7 +43,7 @@ int lxc_readat(int dirfd, const char *filename, void *buf, size_t count)
 int lxc_writeat(int dirfd, const char *filename, const void *buf, size_t count)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	ssize_t ret;
 	fd = openat(dirfd, filename,
@@ -61,7 +61,7 @@ int lxc_writeat(int dirfd, const char *filename, const void *buf, size_t count)
 int lxc_write_openat(const char *dir, const char *filename, const void *buf,
 		     size_t count)
 {
-	__do_close_prot_errno int dirfd = -EBADF;
+	__do_close int dirfd = -EBADF;
 	dirfd = open(dir, O_DIRECTORY | O_RDONLY | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW);
 	if (dirfd < 0)
@@ -73,7 +73,7 @@ int lxc_write_openat(const char *dir, const char *filename, const void *buf,
 int lxc_write_to_file(const char *filename, const void *buf, size_t count,
 		      bool add_newline, mode_t mode)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	ssize_t ret;
 	fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC, mode);
@@ -98,7 +98,7 @@ int lxc_write_to_file(const char *filename, const void *buf, size_t count,
 int lxc_read_from_file(const char *filename, void *buf, size_t count)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	ssize_t ret;
 	fd = open(filename, O_RDONLY | O_CLOEXEC);
@@ -203,7 +203,7 @@ ssize_t lxc_read_nointr_expect(int fd, void *buf, size_t count,
 ssize_t lxc_read_file_expect(const char *path, void *buf, size_t count,
 			     const void *expected_buf)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	fd = open(path, O_RDONLY | O_CLOEXEC);
 	if (fd < 0)
@@ -268,7 +268,7 @@ int lxc_count_file_lines(const char *fn)
 int lxc_make_tmpfile(char *template, bool rm)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	int ret;
 	mode_t msk;
@@ -322,7 +322,7 @@ bool fhas_fs_type(int fd, fs_type_magic magic_val)
 FILE *fopen_cloexec(const char *path, const char *mode)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	int open_mode = 0, step = 0;
 	FILE *f;
@@ -430,7 +430,7 @@ static char *fd_to_buf(int fd, size_t *length)
 char *file_to_buf(const char *path, size_t *length)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	if (!length)
 		return NULL;
@@ -482,7 +482,7 @@ FILE *fdopen_cached(int fd, const char *mode, void **caller_freed_buffer)
 #else
-	__do_close_prot_errno int dupfd = -EBADF;
+	__do_close int dupfd = -EBADF;
 	dupfd = dup(fd);
 	if (dupfd < 0)

--- a/src/lxc/freezer.c
+++ b/src/lxc/freezer.c
@@ -35,7 +35,7 @@ static void notify_state_listeners(const char *name, const char *lxcpath,
 static int do_freeze_thaw(bool freeze, struct lxc_conf *conf, const char *name,
 			  const char *lxcpath)
 {
-	__do_cgroup_exit struct cgroup_ops *cgroup_ops = NULL;
+	call_cleaner(cgroup_exit) struct cgroup_ops *cgroup_ops = NULL;
 	lxc_state_t new_state = freeze ? FROZEN : THAWED;
 	int ret;
 	const char *state;

--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -140,7 +140,7 @@ enum {
 static int ongoing_create(struct lxc_container *c)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	__do_free char *path = NULL;
 	struct flock lk = {0};
 	int ret;
@@ -1976,7 +1976,7 @@ static bool lxcapi_create(struct lxc_container *c, const char *t,
 static bool do_lxcapi_reboot(struct lxc_container *c)
 {
-	__do_close_prot_errno int pidfd = -EBADF;
+	__do_close int pidfd = -EBADF;
 	pid_t pid = -1;
 	int ret;
 	int rebootsignal = SIGINT;
@@ -2012,7 +2012,7 @@ WRAP_API(bool, lxcapi_reboot)
 static bool do_lxcapi_reboot2(struct lxc_container *c, int timeout)
 {
-	__do_close_prot_errno int pidfd = -EBADF, state_client_fd = -EBADF;
+	__do_close int pidfd = -EBADF, state_client_fd = -EBADF;
 	int rebootsignal = SIGINT;
 	pid_t pid = -1;
 	lxc_state_t states[MAX_STATE] = {0};
@@ -2081,7 +2081,7 @@ WRAP_API_1(bool, lxcapi_reboot2, int)
 static bool do_lxcapi_shutdown(struct lxc_container *c, int timeout)
 {
-	__do_close_prot_errno int pidfd = -EBADF, state_client_fd = -EBADF;
+	__do_close int pidfd = -EBADF, state_client_fd = -EBADF;
 	int haltsignal = SIGPWR;
 	pid_t pid = -1;
 	lxc_state_t states[MAX_STATE] = {0};
@@ -3308,8 +3308,7 @@ WRAP_API_1(bool, lxcapi_set_config_path, const char *)
 static bool do_lxcapi_set_cgroup_item(struct lxc_container *c, const char *subsys, const char *value)
 {
-	int ret;
+	call_cleaner(cgroup_exit) struct cgroup_ops *cgroup_ops = NULL;
-	struct cgroup_ops *cgroup_ops;
 	if (!c)
 		return false;
@@ -3321,19 +3320,15 @@ static bool do_lxcapi_set_cgroup_item(struct lxc_container *c, const char *subsy
 	if (!cgroup_ops)
 		return false;
-	ret = cgroup_ops->set(cgroup_ops, subsys, value, c->name, c->config_path);
+	return cgroup_ops->set(cgroup_ops, subsys, value, c->name,
+			       c->config_path) == 0;
-	cgroup_exit(cgroup_ops);
-	return ret == 0;
 }
 WRAP_API_2(bool, lxcapi_set_cgroup_item, const char *, const char *)
 static int do_lxcapi_get_cgroup_item(struct lxc_container *c, const char *subsys, char *retv, int inlen)
 {
-	int ret;
+	call_cleaner(cgroup_exit) struct cgroup_ops *cgroup_ops = NULL;
-	struct cgroup_ops *cgroup_ops;
 	if (!c)
 		return -1;
@@ -3345,12 +3340,8 @@ static int do_lxcapi_get_cgroup_item(struct lxc_container *c, const char *subsys
 	if (!cgroup_ops)
 		return -1;
-	ret = cgroup_ops->get(cgroup_ops, subsys, retv, inlen, c->name,
+	return cgroup_ops->get(cgroup_ops, subsys, retv, inlen, c->name,
-			      c->config_path);
+			       c->config_path);
-	cgroup_exit(cgroup_ops);
-	return ret;
 }
 WRAP_API_3(int, lxcapi_get_cgroup_item, const char *, char *, int)

--- a/src/lxc/memory_utils.h
+++ b/src/lxc/memory_utils.h
@@ -12,23 +12,46 @@
 #include "macro.h"
-#define define_cleanup_attribute(type, func)     \
+#define define_cleanup_function(type, cleaner)           \
-	static inline void func##_ptr(type *ptr) \
+	static inline void cleaner##_function(type *ptr) \
-	{                                        \
+	{                                                \
-		if (*ptr)                        \
+		if (*ptr)                                \
-			func(*ptr);              \
+			cleaner(*ptr);                   \
 	}
+#define call_cleaner(cleaner) __attribute__((__cleanup__(cleaner##_function)))
+#define close_prot_errno_disarm(fd) \
+	if (fd >= 0) {              \
+		int _e_ = errno;    \
+		close(fd);          \
+		errno = _e_;        \
+		fd = -EBADF;        \
+	}
+static inline void close_prot_errno_disarm_function(int *fd)
+{
+       close_prot_errno_disarm(*fd);
+}
+#define __do_close call_cleaner(close_prot_errno_disarm)
+define_cleanup_function(FILE *, fclose);
+#define __do_fclose call_cleaner(fclose)
+define_cleanup_function(DIR *, closedir);
+#define __do_closedir call_cleaner(closedir)
 #define free_disarm(ptr)       \
 	({                     \
 		free(ptr);     \
 		move_ptr(ptr); \
 	})
-static inline void __auto_free__(void *p)
+static inline void free_disarm_function(void *ptr)
 {
-	free(*(void **)p);
+	free_disarm(*(void **)ptr);
 }
+#define __do_free call_cleaner(free_disarm)
 static inline void free_string_list(char **list)
 {
@@ -38,38 +61,8 @@ static inline void free_string_list(char **list)
 		free_disarm(list);
 	}
 }
-define_cleanup_attribute(char **, free_string_list);
+define_cleanup_function(char **, free_string_list);
-#define __do_free_string_list __attribute__((__cleanup__(free_string_list_ptr)))
+#define __do_free_string_list call_cleaner(free_string_list)
-static inline void __auto_fclose__(FILE **f)
-{
-	if (*f)
-		fclose(*f);
-}
-static inline void __auto_closedir__(DIR **d)
-{
-	if (*d)
-		closedir(*d);
-}
-#define close_prot_errno_disarm(fd) \
-	if (fd >= 0) {              \
-		int _e_ = errno;    \
-		close(fd);          \
-		errno = _e_;        \
-		fd = -EBADF;        \
-	}
-static inline void __auto_close__(int *fd)
-{
-	close_prot_errno_disarm(*fd);
-}
-#define __do_close_prot_errno __attribute__((__cleanup__(__auto_close__)))
-#define __do_free __attribute__((__cleanup__(__auto_free__)))
-#define __do_fclose __attribute__((__cleanup__(__auto_fclose__)))
-#define __do_closedir __attribute__((__cleanup__(__auto_closedir__)))
 static inline void *memdup(const void *data, size_t len)
 {

--- a/src/lxc/rexec.c
+++ b/src/lxc/rexec.c
@@ -65,7 +65,7 @@ static int parse_argv(char ***argv)
 static int is_memfd(void)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	int seals;
 	fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
@@ -87,7 +87,7 @@ static int is_memfd(void)
 static void lxc_rexec_as_memfd(char **argv, char **envp, const char *memfd_name)
 {
-	__do_close_prot_errno int execfd = -EBADF, fd = -EBADF, memfd = -EBADF,
+	__do_close int execfd = -EBADF, fd = -EBADF, memfd = -EBADF,
 				  tmpfd = -EBADF;
 	int ret;
 	ssize_t bytes_sent = 0;

--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -1299,7 +1299,7 @@ void lxc_seccomp_free(struct lxc_seccomp *seccomp)
 #if HAVE_DECL_SECCOMP_NOTIFY_FD
 static int seccomp_notify_reconnect(struct lxc_handler *handler)
 {
-	__do_close_prot_errno int notify_fd = -EBADF;
+	__do_close int notify_fd = -EBADF;
 	close_prot_errno_disarm(handler->conf->seccomp.notifier.proxy_fd);
@@ -1338,8 +1338,8 @@ int seccomp_notify_handler(int fd, uint32_t events, void *data,
 {
 #if HAVE_DECL_SECCOMP_NOTIFY_FD
-	__do_close_prot_errno int fd_pid = -EBADF;
+	__do_close int fd_pid = -EBADF;
-	__do_close_prot_errno int fd_mem = -EBADF;
+	__do_close int fd_mem = -EBADF;
 	int ret;
 	ssize_t bytes;
 	int send_fd_list[2];
@@ -1514,7 +1514,7 @@ int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
 #if HAVE_DECL_SECCOMP_NOTIFY_FD
 	if (seccomp->notifier.wants_supervision &&
 	    seccomp->notifier.proxy_addr.sun_path[1] != '\0') {
-		__do_close_prot_errno int notify_fd = -EBADF;
+		__do_close int notify_fd = -EBADF;
 		int ret;
 		notify_fd = lxc_unix_connect_type(&seccomp->notifier.proxy_addr,

--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -724,7 +724,7 @@ on_error:
 int lxc_init(const char *name, struct lxc_handler *handler)
 {
-	__do_close_prot_errno int status_fd = -EBADF;
+	__do_close int status_fd = -EBADF;
 	int ret;
 	const char *loglevel;
 	struct lxc_conf *conf = handler->conf;
@@ -1053,9 +1053,9 @@ void lxc_abort(const char *name, struct lxc_handler *handler)
 static int do_start(void *data)
 {
 	struct lxc_handler *handler = data;
-	__lxc_unused __do_close_prot_errno int data_sock0 = handler->data_sock[0],
+	__lxc_unused __do_close int data_sock0 = handler->data_sock[0],
 					   data_sock1 = handler->data_sock[1];
-	__do_close_prot_errno int status_fd = -EBADF;
+	__do_close int status_fd = -EBADF;
 	int ret;
 	uid_t new_uid;
 	gid_t new_gid;
@@ -1557,7 +1557,7 @@ static inline int do_share_ns(void *arg)
 */
 static int lxc_spawn(struct lxc_handler *handler)
 {
-	__do_close_prot_errno int data_sock0 = -EBADF, data_sock1 = -EBADF;
+	__do_close int data_sock0 = -EBADF, data_sock1 = -EBADF;
 	int i, ret;
 	char pidstr[20];
 	bool wants_to_map_ids;

--- a/src/lxc/terminal.c
+++ b/src/lxc/terminal.c
@@ -94,7 +94,7 @@ int lxc_terminal_signalfd_cb(int fd, uint32_t events, void *cbdata,
 struct lxc_terminal_state *lxc_terminal_signal_init(int srcfd, int dstfd)
 {
-	__do_close_prot_errno int signal_fd = -EBADF;
+	__do_close int signal_fd = -EBADF;
 	__do_free struct lxc_terminal_state *ts = NULL;
 	int ret;
 	sigset_t mask;

--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -635,7 +635,7 @@ int detect_shared_rootfs(void)
 bool switch_to_ns(pid_t pid, const char *ns)
 {
-	__do_close_prot_errno int fd = -EBADF;
+	__do_close int fd = -EBADF;
 	int ret;
 	char nspath[STRLITERALLEN("/proc//ns/")
 		    + INTTYPE_TO_STRLEN(pid_t)
@@ -1642,7 +1642,7 @@ uint64_t lxc_find_next_power2(uint64_t n)
 static int process_dead(/* takes */ int status_fd)
 {
-	__do_close_prot_errno int dupfd = -EBADF;
+	__do_close int dupfd = -EBADF;
 	__do_free char *line = NULL;
 	__do_fclose FILE *f = NULL;
 	int ret = 0;

--- a/src/lxc/uuid.c
+++ b/src/lxc/uuid.c
@@ -39,7 +39,7 @@ static lxc_id128_t make_v4_uuid(lxc_id128_t id)
 static int get_random_bytes(void *p, size_t n)
 {
-	__do_close_prot_errno int fd = -1;
+	__do_close int fd = -EBADF;
 	ssize_t bytes = 0;
 	fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC | O_NOCTTY);